
I receive the following error when executing a Lambda function:

"AccessDeniedException: User: arn:aws:sts::342213474092:assumed-role/testServerlessStack-ExecRole-YZCIWMHK86D8/testServerlessStack-GetFailureKeysByOrder-OR3YS1NLQY0M is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-2:342213474092:table/Bar"

The function's execution role has the following permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "dynamodb:Query",
                "dynamodb:Scan"
            ],
            "Resource": [
                "arn:aws:dynamodb:us-east-2:342213474092:table/Foo/*",
                "arn:aws:dynamodb:us-east-2:342213474092:table/Bar/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

The Lambda queries Foo then scans Bar.

  • It looks like you have different account numbers in the permissions (dynamodb table ARNs), is that intentional? Commented Jul 9, 2019 at 19:01
  • They match. All the resources (Lambda and DynamoDB tables) are in the same account. Commented Jul 9, 2019 at 19:03
  • I think the problem is in my resource specification, but I can't find docs on that piece of the IAM permission. Commented Jul 9, 2019 at 19:11

1 Answer


According to the docs, the resources should be formatted as:

To query a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

The same goes for scan:

To scan a table: arn:aws:dynamodb:region:account-id:table/table-name

or: arn:aws:dynamodb:region:account-id:table/*

Have you tried changing the resources to:

"Resource": [
    "arn:aws:dynamodb:us-east-2:342213474092:table/Foo",
    "arn:aws:dynamodb:us-east-2:342213474092:table/Bar"
],

Docs here: DynamoDB API permissions

Based on your last comment, this should work for you:

arn:aws:dynamodb:region:account-id:table/*/index/*

4 Comments

The tables I'm querying have indexes. When I adjust the resource names as you've suggested (and it's a good idea), I get failures on the indexes I'm querying. But if I change the resources to "*" (asterisk), it works fine. So, to skip ahead, how can I configure this access without enumerating each table and index or using an asterisk?
The docs show: arn:aws:dynamodb:region:account-id:table/table-name/index/index-name or: arn:aws:dynamodb:region:account-id:table/table-name/index/* for an index, so theoretically you could use: arn:aws:dynamodb:region:account-id:table/*/index/*
That's still using an asterisk, but not at the top resources level.
That's a little too permissive. I was trying to lock the operations down by table. I ended up with something like the following: arn:aws:dynamodb:us-east-2:642113479024:table/Foo and arn:aws:dynamodb:us-east-2:642113479024:table/Foo/index/* I had to do this for each table that uses an index. I could lock it down to the specific index, but that's too much maintenance for me.
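The thread never spells out why the original policy failed on Scan but worked on index queries, so here is an added example (not code from the question or the answer) that makes the matching rule concrete. IAM compares the Resource pattern against the ARN of the resource being accessed as a plain wildcard match: "*" matches any run of characters and "?" matches exactly one, everything else must match literally. A Scan on the table is authorized against ".../table/Bar", and the pattern ".../table/Bar/*" requires a literal "/" after "Bar", so it matches the table's indexes but never the table itself. The script below reproduces that check offline, evaluates the question's original policy and the per-table policy the asker settled on against both a table ARN and an index ARN, and builds that final policy from a list of table names. The account ID and region are taken from the question; the index name "OrderIndex" and the table "Baz" are constructed for the example, and the evaluator handles only Allow statements (no Deny, conditions, or NotAction), which is enough for the policies on this page.

```python
import json
import re
from typing import Iterable, List

# Values from the question; the index and extra table names below are constructed.
ACCOUNT = "342213474092"
REGION = "us-east-2"


def iam_arn_matches(pattern: str, arn: str) -> bool:
    """Wildcard match used for IAM Resource patterns: '*' matches any run of
    characters (including '/' and ':'), '?' matches one character, everything
    else is literal. The match is anchored at both ends."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, arn) is not None


def table_arn(name: str) -> str:
    return f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{name}"


def index_arn(table: str, index: str) -> str:
    return f"{table_arn(table)}/index/{index}"


def original_policy() -> dict:
    """The Resource list from the question: a trailing '/*' on each table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": [f"{table_arn('Foo')}/*", f"{table_arn('Bar')}/*"],
        }],
    }


def build_read_policy(tables: Iterable[str]) -> dict:
    """The shape the asker ended with: each table ARN plus that table's
    indexes, nothing else. Generating it removes the maintenance burden of
    hand-writing two ARNs per table."""
    resources: List[str] = []
    for t in tables:
        resources.append(table_arn(t))            # Query/Scan on the table
        resources.append(f"{table_arn(t)}/index/*")  # Query on its GSIs/LSIs
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["dynamodb:Query", "dynamodb:Scan"],
            "Resource": resources,
        }],
    }


def policy_allows(policy: dict, action: str, arn: str) -> bool:
    """Allowed iff some Allow statement matches both the action and the ARN.
    Action names are matched case-insensitively, resource ARNs exactly."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        action_ok = any(iam_arn_matches(a.lower(), action.lower()) for a in actions)
        resource_ok = any(iam_arn_matches(r, arn) for r in resources)
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    fixed = build_read_policy(["Foo", "Bar"])
    print(json.dumps(fixed, indent=2))
    for label, pol in (("original", original_policy()), ("fixed", fixed)):
        print(label, "Scan table/Bar:", policy_allows(pol, "dynamodb:Scan", table_arn("Bar")))
        print(label, "Query table/Foo/index/OrderIndex:",
              policy_allows(pol, "dynamodb:Query", index_arn("Foo", "OrderIndex")))
```

Running it shows the original policy denying the Scan on "table/Bar" while allowing the index query on "table/Foo/index/OrderIndex", which is exactly the split behaviour described in the comments; the generated policy allows both and still denies tables that were not listed. The same matcher also shows why "table/*/index/*" (the answer's last suggestion) grants nothing on the tables themselves, only on every index in the account and region.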
